raviole: Rework sepolicy

Change-Id: Idb0636bce2392beb720e420055a7bcb838725a18
2025-12-02 04:24:25 +02:00
parent b6e3a9bab5
commit 244d247b70
32 changed files with 95 additions and 38 deletions
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -24,5 +24,11 @@ BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES_LOAD_RAW := $(strip $(shell cat $(DEV
 BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES_LOAD += $(BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES_LOAD_RAW)
 BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES += $(addprefix $(KERNEL_MODULE_DIR)/, $(notdir $(BOARD_VENDOR_KERNEL_RAMDISK_KERNEL_MODULES_LOAD_RAW)))

+# SEPolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    $(DEVICE_PATH)/sepolicy/vendor \
+    hardware/google/pixel-sepolicy/vibrator/common \
+    hardware/google/pixel-sepolicy/vibrator/cs40l25
+
 # WiFi
 include device/google/gs101/wifi/BoardConfig-wifi.mk
--- a/oriole/BoardConfig.mk
+++ b/oriole/BoardConfig.mk
@@ -10,7 +10,8 @@ TARGET_BOOTLOADER_BOARD_NAME := $(DEVICE_CODENAME)
 TARGET_SCREEN_DENSITY := 420

 # SEPolicy
-include device/google/raviole/sepolicy/oriole-sepolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    $(DEVICE_PATH)/sepolicy/$(DEVICE_CODENAME)/vendor

 include $(DEVICE_PATH)/BoardConfigCommon.mk

--- a/raven/BoardConfig.mk
+++ b/raven/BoardConfig.mk
@@ -10,7 +10,8 @@ TARGET_BOOTLOADER_BOARD_NAME := $(DEVICE_CODENAME)
 TARGET_SCREEN_DENSITY := 560

 # SEPolicy
-include device/google/raviole/sepolicy/raven-sepolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    $(DEVICE_PATH)/sepolicy/$(DEVICE_CODENAME)/vendor

 include $(DEVICE_PATH)/BoardConfigCommon.mk

--- a/sepolicy/oriole-sepolicy.mk
+++ b/sepolicy/oriole-sepolicy.mk
@@ -1,11 +0,0 @@
-# Oriole only sepolicy
-BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/oriole
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bcmbt/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/modem_svc_sit/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/stm/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/wireless_charger/sepolicy
-
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/vibrator/common
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/vibrator/cs40l25
--- a/sepolicy/oriole/euiccpixel_app.te
+++ b/sepolicy/oriole/euiccpixel_app.te
@@ -1,6 +0,0 @@
-# EuiccSupportPixel app
-
-userdebug_or_eng(`
-    allow euiccpixel_app sysfs_touch:dir search;
-')
-
--- a/sepolicy/oriole/grilservice_app.te
+++ b/sepolicy/oriole/grilservice_app.te
@@ -1 +0,0 @@
-allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
--- a/sepolicy/oriole/vendor/dump_stm.te
+++ b/sepolicy/oriole/vendor/dump_stm.te
@@ -0,0 +1,8 @@
+get_prop(dump_stm, vendor_touch_dump_path_prop)
+
+pixel_bugreport(dump_stm)
+
+allow dump_stm proc_touch:file rw_file_perms;
+allow dump_stm sysfs_touch:dir search;
+allow dump_stm sysfs_touch:file rw_file_perms;
+allow dump_stm vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/oriole/vendor/file.te
+++ b/sepolicy/oriole/vendor/file.te
@@ -0,0 +1 @@
+type proc_touch, fs_type, proc_type;
--- a/sepolicy/oriole/vendor/file_contexts
+++ b/sepolicy/oriole/vendor/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/dump/dump_stm\.sh u:object_r:dump_stm_exec:s0
--- a/sepolicy/oriole/vendor/genfs_contexts
+++ b/sepolicy/oriole/vendor/genfs_contexts
@@ -0,0 +1,5 @@
+genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
+genfscon proc /fts/driver_test u:object_r:proc_touch:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0
--- a/sepolicy/oriole/vendor/init.te
+++ b/sepolicy/oriole/vendor/init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_touch_dump_path_prop)
--- a/sepolicy/oriole/vendor/property.te
+++ b/sepolicy/oriole/vendor/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_touch_dump_path_prop)
--- a/sepolicy/oriole/vendor/property_contexts
+++ b/sepolicy/oriole/vendor/property_contexts
@@ -0,0 +1 @@
+ro.vendor.touch.dump. u:object_r:vendor_touch_dump_path_prop:s0
--- a/sepolicy/raven-sepolicy.mk
+++ b/sepolicy/raven-sepolicy.mk
@@ -1,11 +0,0 @@
-# Ravne only sepolicy
-BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/raven
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bcmbt/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/modem_svc_sit/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/lsi/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/wireless_charger/sepolicy
-
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/vibrator/common
-BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/vibrator/cs40l25
--- a/sepolicy/raven/euiccpixel_app.te
+++ b/sepolicy/raven/euiccpixel_app.te
@@ -1,6 +0,0 @@
-# EuiccSupportPixel app
-
-userdebug_or_eng(`
-    allow euiccpixel_app sysfs_touch:dir search;
-')
-
--- a/sepolicy/raven/grilservice_app.te
+++ b/sepolicy/raven/grilservice_app.te
@@ -1 +0,0 @@
-allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
--- a/sepolicy/raven/vendor/cccdktimesync_app.te
+++ b/sepolicy/raven/vendor/cccdktimesync_app.te
--- a/sepolicy/raven/vendor/dump_lsi.te
+++ b/sepolicy/raven/vendor/dump_lsi.te
@@ -0,0 +1,5 @@
+pixel_bugreport(dump_lsi)
+
+allow dump_lsi sysfs_touch:dir r_dir_perms;
+allow dump_lsi sysfs_touch:file rw_file_perms;
+allow dump_lsi vendor_toolbox_exec:file execute_no_trans;
--- a/sepolicy/raven/vendor/file_contexts
+++ b/sepolicy/raven/vendor/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/dump/dump_lsi\.sh u:object_r:dump_lsi_exec:s0
--- a/sepolicy/raven/vendor/genfs_contexts
+++ b/sepolicy/raven/vendor/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
--- a/sepolicy/vendor/dumpstate.te
+++ b/sepolicy/vendor/dumpstate.te
@@ -0,0 +1 @@
+binder_call(dumpstate, hal_wlcservice)
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1 @@
+type vendor_wlc_file, data_file_type, file_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,4 @@
+/data/vendor/wireless_charger(/.*)? u:object_r:vendor_wlc_file:s0
+/vendor/bin/hw/vendor\.dolby\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger-default u:object_r:hal_wireless_charger_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger\.service-default u:object_r:hal_wlcservice_exec:s0
--- a/sepolicy/vendor/hal_dumpstate.te
+++ b/sepolicy/vendor/hal_dumpstate.te
@@ -0,0 +1,3 @@
+allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
--- a/sepolicy/vendor/hal_googlebattery.te
+++ b/sepolicy/vendor/hal_googlebattery.te
@@ -0,0 +1,5 @@
+r_dir_file(hal_googlebattery, sysfs_wlc)
+
+set_prop(hal_googlebattery, vendor_wlcservice_prop)
+
+allow hal_googlebattery sysfs_wlc:file rw_file_perms;
--- a/sepolicy/vendor/hal_health.te
+++ b/sepolicy/vendor/hal_health.te
@@ -0,0 +1 @@
+binder_call(hal_health_default, hal_wlcservice)
--- a/sepolicy/vendor/hal_wireless_charger.te
+++ b/sepolicy/vendor/hal_wireless_charger.te
@@ -0,0 +1,17 @@
+type hal_wireless_charger_exec, exec_type, file_type, vendor_file_type;
+
+add_service(hal_wireless_charger, hal_wireless_charger_service)
+
+binder_call(hal_wireless_charger, hal_wlcservice)
+binder_call(hal_wireless_charger, platform_app)
+binder_call(hal_wireless_charger, servicemanager)
+binder_call(hal_wireless_charger, system_app)
+
+init_daemon_domain(hal_wireless_charger)
+
+r_dir_file(hal_wireless_charger, sysfs_batteryinfo)
+
+set_prop(hal_wireless_charger, vendor_wlcservice_prop)
+
+allow hal_wireless_charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_wireless_charger sysfs_batteryinfo:file rw_file_perms;
--- a/sepolicy/vendor/hal_wlcservice.te
+++ b/sepolicy/vendor/hal_wlcservice.te
@@ -0,0 +1,22 @@
+type hal_wlcservice, domain;
+type hal_wlcservice_exec, exec_type, file_type, vendor_file_type;
+type hal_wlcservice_service, hal_service_type, protected_service, service_manager_type;
+
+add_service(hal_wlcservice, hal_wlcservice_service)
+
+binder_call(hal_wlcservice, hal_health_default)
+binder_call(hal_wlcservice, hal_wireless_charger)
+binder_call(hal_wlcservice, servicemanager)
+
+binder_use(hal_wlcservice)
+
+hal_client_domain(hal_wlcservice, hal_health)
+
+init_daemon_domain(hal_wlcservice)
+
+set_prop(hal_wlcservice, vendor_wlcservice_prop)
+
+allow hal_wlcservice hal_wireless_charger_service:service_manager find;
+allow hal_wlcservice kmsg_device:chr_file { getattr w_file_perms };
+allow hal_wlcservice vendor_wlc_file:dir create_dir_perms;
+allow hal_wlcservice vendor_wlc_file:file create_file_perms;
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_wlcservice_prop)
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,3 @@
+vendor.wlcservice.fwupdate.tx u:object_r:vendor_wlcservice_prop:s0 exact enum 0 1 2 3
+vendor.wlcservice.start u:object_r:vendor_wlcservice_prop:s0 exact bool
+vendor.wlcservice.test.authentication u:object_r:vendor_wlcservice_prop:s0 exact bool
--- a/sepolicy/vendor/service_contexts
+++ b/sepolicy/vendor/service_contexts
@@ -0,0 +1 @@
+vendor.google.wireless_charger.service.IWlcService/default u:object_r:hal_wlcservice_service:s0
--- a/sepolicy/vendor/servicemanager.te
+++ b/sepolicy/vendor/servicemanager.te
@@ -0,0 +1 @@
+binder_call(servicemanager, hal_wlcservice)
				`@@ -1 +0,0 @@`
				`allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;`
				`@@ -0,0 +1 @@`
				`/vendor/bin/dump/dump_stm\.sh u:object_r:dump_stm_exec:s0`
				`@@ -0,0 +1 @@`
				`set_prop(vendor_init, vendor_touch_dump_path_prop)`
				`@@ -0,0 +1 @@`
				`vendor_internal_prop(vendor_touch_dump_path_prop)`
				`@@ -0,0 +1 @@`
				`ro.vendor.touch.dump. u:object_r:vendor_touch_dump_path_prop:s0`
				`@@ -0,0 +1 @@`
				`/vendor/bin/dump/dump_lsi\.sh u:object_r:dump_lsi_exec:s0`
				`@@ -0,0 +1 @@`
				`genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0`
				`@@ -0,0 +1 @@`
				`type vendor_wlc_file, data_file_type, file_type;`
				`@@ -0,0 +1 @@`
				`binder_call(hal_health_default, hal_wlcservice)`
				`@@ -0,0 +1 @@`
				`vendor_internal_prop(vendor_wlcservice_prop)`